Merge pull request #2435 from akhilmhdh/doc/docker-integration

chore: updated documentation for docker compose and docker for machine identity

docs/cli/commands/token.mdx

@@ -4,7 +4,7 @@ description: "Manage your Infisical identity access tokens"
 ---
 
 ```bash 
-infisical service-token renew <ua-access-token>
+infisical token renew <ua-access-token>
 ```
 
 ## Description

docs/integrations/platforms/docker-compose.mdx

@@ -17,13 +17,7 @@ Follow this [guide](./docker) to configure the Infisical CLI for each service th
     Generate a machine identity for each service you want to inject secrets into. You can do this by following the steps in the [Machine Identity](/documentation/platform/identities/machine-identities) guide.
 
     ### Set the machine identity client ID and client secret as environment variables
-    For each service you want to inject secrets into, set two environment variable called `INFISICAL_MACHINE_IDENTITY_CLIENT_ID`, and `INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET` equal to the client ID and client secret of the machine identity(s) you created in the previous step.
-
-    In the example below, we set two sets of client ID and client secret for the services.
-
-    For the web service we set `INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_WEB` and `INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_WEB` as the client ID and client secret respectively.
-
-    For the API service we set `INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_API` and `INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_API` as the client ID and client secret respectively.
+    For each service you want to inject secrets into, generate the required `INFISICAL_TOKEN_SERVICE_A` and `INFISICAL_TOKEN_SERVICE_B`.
 
     ```yaml
     # Example Docker Compose file
@@ -32,31 +26,25 @@ Follow this [guide](./docker) to configure the Infisical CLI for each service th
         build: .
         image: example-service-1
         environment:
-          - INFISICAL_MACHINE_IDENTITY_CLIENT_ID=${INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_WEB}
-          - INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET=${INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_WEB}
+          - INFISICAL_TOKEN=${INFISICAL_TOKEN_SERVICE_A}
 
       api:
         build: .
         image: example-service-2
         environment:
-          - INFISICAL_MACHINE_IDENTITY_CLIENT_ID=${INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_API}
-          - INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET=${INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_API}
+          - INFISICAL_TOKEN=${INFISICAL_TOKEN_SERVICE_B}
 
     ```
 
     ### Export shell variables
-    Next, set the shell variables you defined in your compose file. This can be done manually or via your CI/CD environment. Once done, it will be used to populate the corresponding `INFISICAL_MACHINE_IDENTITY_CLIENT_ID` and `INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET` in your Docker Compose file.
+    Next, set the shell variables you defined in your compose file. This can be done manually or via your CI/CD environment. Once done, it will be used to populate the corresponding `INFISICAL_TOKEN_SERVICE_A` and `INFISICAL_TOKEN_SERVICE_B` in your Docker Compose file.
 
     ```bash
     #Example
 
     # Token refers to the token we generated in step 2 for this service
-    export INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_WEB=<client_id>
-    export INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_WEB=<client_secret>
-
-    # Token refers to the token we generated in step 2 for this service
-    export INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_API=<client_id>
-    export INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_API=<client_secret>
+    export INFISICAL_TOKEN_SERVICE_A=$(infisical login --method=universal-auth --client-id=<your-client-id> --client-secret=<your-client-secret> --silent --plain)
+    export INFISICAL_TOKEN_SERVICE_B=$(infisical login --method=universal-auth --client-id=<your-client-id> --client-secret=<your-client-secret> --silent --plain)
 
     # Then run your compose file in the same terminal.
     docker-compose ...

docs/integrations/platforms/docker.mdx

@@ -81,6 +81,44 @@ CMD ["infisical", "run", "--projectId", "<your-project-id>", "--command", "npm r
   </Step>
 </Steps>
 
+### Using a Starting Script
+
+The drawback of the previous method is that you would have to generate the `INFISICAL_TOKEN` manually. To automate this process, you can use a shell script as your starting command.
+
+<Steps>
+  <Step title="Generate a Machine Identity">
+    Create a machine identity for your project by following the steps in the [Machine Identity](/documentation/platform/identities/machine-identities) guide. This identity will enable authentication and secret retrieval from Infisical.
+  </Step>
+
+  <Step title="Create the Shell Script">
+    Create a shell script to obtain an access token for the machine identity:
+
+    ```bash script.sh
+    #!/bin/sh
+    export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_MACHINE_CLIENT_ID --client-secret=$INFISICAL_MACHINE_CLIENT_SECRET --plain --silent)
+    exec infisical run --token $INFISICAL_TOKEN --projectId $PROJECT_ID --env $INFISICAL_SECRET_ENV --domain $INFISICAL_API_URL -- <starting script>
+    ```
+
+    > **Note:** The access token has a limited lifespan. Use the [infisical token renew](/cli/commands/token) CLI command to renew it when necessary.
+		<Warning>
+		Caution: Implementing this directly in your Dockerfile presents two key issues:
+
+		1. Lack of persistence: Variables set in one build step are not automatically carried over to subsequent steps, complicating the process.
+		2. Security risk: It exposes sensitive credentials inside your container, potentially allowing anyone with container access to retrieve them.
+		</Warning>
+  </Step>
+
+  <Step title="Update Your Dockerfile">
+    Grant the Infisical CLI access to the access token, inside your Docker container. This allows the CLI to fetch and inject secrets into your application.
+
+    Add the following line to your Dockerfile:
+
+    ```dockerfile
+    CMD ["./script.sh"]
+    ```
+  </Step>
+</Steps>
+
 </Tab>
 <Tab title="Service Token (Deprecated)">
 ```dockerfile